HIPAA Blog

[ Thursday, March 04, 2010 ]

Red Flags Rule: A major part of the argument that, even if you aren't a "creditor" under the Red Flags Rule, you ought to institute an Identity Theft Prevention Plan anyway.

On another Red Flags note, the rule requires affected businesses to monitor their service providers (at least those who deal with the "accounts" that make the business a "creditor") to make sure they follow the entity's ID Theft Prevention Plan or otherwise have their own plan. Some folks are incorporating Red Flags language into their BAAs; this isn't necessary if your business associate doesn't access those accounts, which many business associates won't. But if you want one-stop shopping for your vendor contracts, it's an idea.

BTW, if you're wondering, we're still waiting for a summer start date for the Red Flags Rule to be effective against physicians.